NHS Direct wrongly emailed patients' data

An email sent by the NHS advice service mistakenly disclosed personal information about patients, although it did not leave the health service.

The organisation's annual report for 2008-09 reveals that the information, including the names, addresses, NHS numbers, dates of birth and clinical data of about 100 patients, was disclosed without authorisation in October last year.

In a statement to GC News, NHS Direct said that this happened when a spreadsheet was emailed to three people in error. The recipients were two project managers working in separate parts of the NHS, as well as an NHS Direct staff member.

"The staff involved acted immediately and the incident was realised and contained within 12 hours and the data deleted," said a spokesperson for NHS Direct. "None of the information went into the public domain and the incident was reported to the information commissioner."

She added: "NHS Direct takes data protection very seriously and we regularly review our processes and train our staff in order to ensure that we fulfil our responsibilities in this area."

The annual report also says that during 2008-09 NHS Direct answered about 5m calls. The agency says that more than 50% of these calls were handled entirely by NHS Direct, relieving pressure elsewhere on the health service. It has developed decision support software and provided further training for staff with the aim of improving this further during the coming year.